<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Dovecot Master User: Access user's mailbox without owner's password.</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>

    <div id="navigation">
    <a href="https://www.iredmail.org" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="dovecot-master-user-access-users-mailbox-without-owners-password">Dovecot Master User: Access user's mailbox without owner's password.</h1>
<p>iRedMail-0.8.6 and later releases have Dovecot Master User enabled for all
backends (OpenLDAP, MySQL/MariaDB, PostgreSQL) by default, what you need to do
is adding new master user.</p>
<p>Dovecot is configured to query master user accounts from file
<code>/etc/dovecot/dovecot-master-users</code>, you can update this file to add or remove
master user.</p>
<p>The format is simple:</p>
<pre><code>username:password
</code></pre>
<p>You can generate a password supported by Dovecot first. for example, SSHA512.
Let's generate password hash for our password <code>my_master_password</code>:</p>
<pre><code># doveadm pw -s SSHA512
Enter new password: my_master_password
Retype new password: my_master_password
{SSHA512}B0VHomJaMk6aLXOPglgNgJtCUA8JRnOweAwJxRW6NPWSNZ25rG/L6T05DJXH+t8WCQkemBilgkcEi6mq4Kadssivtts=
</code></pre>
<p>You can now pick up any username you like, for example, <code>my_master_user@not-exist.com</code>.
Now add new master user in file
<code>/etc/dovecot/dovecot-master-users</code> like below:</p>
<pre><code>my_master_user@not-exist.com:{SSHA512}B0VHomJaMk6aLXOPglgNgJtCU...
</code></pre>
<p>Now you can access <code>user@domain.ltd</code>'s mailbox (via either IMAP or POP3
protocol) as user <code>user@domain.ltd*my_master_user@not-exist.com</code> with password
<code>my_master_password</code> with Roundcube webmail (it should work with other MUAs).</p>
<p>WARNING:</p>
<ul>
<li>
<p>Make sure file <code>/etc/dovecot/dovecot-master-users</code> is owned by Dovecot
  daemon user and group, with file permission <code>0500</code>, so that others cannot view
  the file content.</p>
<ul>
<li>on Linux/FreeBSD, Dovecot daemon user/group is <code>dovecot/dovecot</code>.</li>
<li>on OpenBSD, Dovecot daemon user/group is <code>_dovecot/_dovecot</code>.</li>
</ul>
</li>
<li>
<p>If you don't append a (non-exist) mail domain name in Dovecot Master User
  account, Dovecot will use the domain name of your login username. For example,
  if your real user is <code>myuser@mydomain.com</code>, when you try to access this user's
  mailbox as Dovecot Master User <code>myuser@mydomain.com*my_master_user</code>, it will
  trigger Dovecot to verify user <code>my_master_user@mydomain.com</code> which doesn't
  exist on your server, then this login attempt fails.</p>
</li>
</ul>
<h2 id="troubleshooting">Troubleshooting</h2>
<p>If it doesn't work for you, please enable debug mode in Dovecot and check
its log file. If you don't understand what the log says, please create a new
topic in our forum and paste related log:</p>
<ul>
<li><a href="./debug.dovecot.html">Debug Dovecot</a></li>
<li><a href="https://forum.iredmail.org/">iRedMail online support forum</a></li>
</ul>
<h2 id="references">References</h2>
<ul>
<li>Dovecot document: <a href="https://doc.dovecot.org/configuration_manual/authentication/master_users/">Master users/passwords</a></li>
</ul><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>